AnyConnect Host Scan / Posture Module Errors

dongill
Level 1

Hi,

We are running a lab POC for AnyConnect 3.0 in prep for a migration from Cisco VPN Client to AnyConnect [VPN, NAM & Posture] and are having issues with Host Scan.

Essentially, we want to have AnyConnect / ASA check for a file on the local client machine, and scan for Symantec Endpoint Protection and ensure that it is running. Upon success of these criteria and successful user authentication, access will be granted, otherwise denied.

Our client test machines have predeployed AnyConnect client with NAM and the Posture module [installed from the supplied Cisco AnyConnect predeploy ISO .msi's]. We have no requirement for Clientless SSL VPN Access at this stage.

However, when initiating a VPN connection with Secure Desktop / Host Scan enabled, it fails with the following errors:

Warning dialogue appears:

“Posture Assessment Failed: HostScan Prelogin error”

Ok box is displayed. Click “OK” and then:

“An error has occurred while running Host Scan. Please attempt to connect again.”

Also, during the connection process, the following information is displayed in the AnyConnect VPN window:

“Posture Assessment...Checking For updates [1 – 5 seconds]”

“Posture Assessment...Initiating [1 -5 seconds]”

“Posture Assessment...Updating [1 -3 seconds]”

“Posture Assessment...Initiating [1 – 3 seconds]”

Then the first two errors appear.

-----------------------------------------------------------------------------------------------

On the config side - I have done the following:

1. Enabled Secure Desktop Manager and installed the CSD image [using csd_3.6.181-k9.pkg]

2. Installed a Host Scan image [anyconnect-win-3.0.1047-k9.pkg] and enabled it.

3. Enabled the host scan extensions in the Secure Desktop Manager Host Scan Settings [Endpoint Assessment ver 3.4.17.1]

4. Created a Pre-Login policy to check for a text file [named example.dat]

5. Created a DAP policy to check for the text file again, and to look for a personal firewall [Symantec Endpoint Protection].

I'm a little stumped as to why this is happening, as I have pretty much deployed this in line with the AnyConnect and ASA config guides.

Oddly, if I browse to the ASA's URL and log in via weblaunch, I can successfully connect and initiate a VPN with successful host scan and DAP pass; the session is then handed off to the AnyConnect client and everything works nicely. It just doesn't work when using the local AnyConnect pre-deployed client.

Any one have any ideas or pointers of where I may be going wrong?

Any help is appreciated!

Thanks!
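The ASA-side configuration that steps 1 and 2 of the post describe, written out as an added CLI example (this is not the poster's configuration, and the interface name "outside", the file paths on disk0: and the group-policy name GP_LAB are assumptions). The Pre-Login policy and the DAP rule from steps 4 and 5 live in dap.xml and the CSD manager and are edited through ASDM, so they are not shown here. The second stanza is the one variable worth isolating: with no standalone Host Scan image configured, the ASA serves the Host Scan engine bundled inside the CSD package instead of the one extracted from the AnyConnect package.

```cisco
! --- As described in the post: CSD image + standalone Host Scan image ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 1
 anyconnect enable
 ! Cisco Secure Desktop package; Host Scan is shipped inside this package too
 csd image disk0:/csd_3.6.181-k9.pkg
 csd enable
 ! Step 2: standalone Host Scan image taken from the AnyConnect package
 csd hostscan image disk0:/anyconnect-win-3.0.1047-k9.pkg
!
group-policy GP_LAB internal
group-policy GP_LAB attributes
 vpn-tunnel-protocol ikev2 ssl-client
!
! --- Verification: which CSD / Host Scan versions the ASA is actually serving ---
show webvpn csd
show webvpn csd hostscan
!
! --- Variant to test: keep CSD enabled, remove the standalone Host Scan image ---
webvpn
 no csd hostscan image
```

After changing the Host Scan image the ASA rebuilds what it serves to clients, so check `show webvpn csd hostscan` again and reconnect with a fresh client session before concluding that a change had no effect.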

8 Replies

Marcus Hunold
Level 1

Hey,

First, I would test it without point 2 "Installed a Host Scan image [anyconnect-win-3.0.1047-k9.pkg] and enabled it."

I dimly remember that I also had some problems a few weeks ago.

Older question from me is here:

https://supportforums.cisco.com/click.jspa?searchID=29591995&objectType=2&objectID=3311354

From where do you know that file anyconnect-win-3.0.1047-k9.pkg is the correct one to use there?

In the ASA PDF, the only thing mentioned is "You can upload it as a standalone package: hostscan-version.pkg".

Regards Marcus

Hi Marcus,

Thanks for your reply - help is appreciated!

On the host scan image: the ASA & AnyConnect 3.0 config guides specify that a standalone host scan image OR an AnyConnect package can be used for the hostscan image; the ASA will just extract the hostscan software from the AnyConnect package on demand when required.

I have done some further testing, and can confirm that this works fine when using weblaunch, leading me on to my next point...

I believe the problem is related to using IPsec as the preferred VPN protocol...

IPsec: I have found that when using IPsec [IKEv2] as the local AnyConnect client's primary VPN protocol [rather than SSL, as set in the local VPN profile], I am unable to connect when HostScan / CSD is enabled, AND regardless of whether HostScan / CSD is enabled, I am unable to push software updates or profile updates either when these are configured in the group policy! The VPN connection just fails. If I turn off any of the "client services" related functions such as profile or software updates in the group policy config [and HostScan / CSD is disabled], I can connect fine.

If I set the local AnyConnect client VPN profile to use SSL as its preferred VPN protocol, everything works nicely!

I understand that the local client VPN profile, when set to IPsec as the preferred VPN protocol, uses a proprietary EAP authentication method and that changing this to a "standards-based" EAP method [such as GTC etc.] will limit the download capabilities needed.

What's odd is that the local profile on our client is set to use IPsec, and the check box to use a standards-based EAP method is not checked, yet the behaviour of the client suggests that maybe it's doing this: none of the client services seem to be available? Very odd.

We are using RADIUS between the ASA and a backend Cisco ACS server with SecureID Tokens as the passcode to auth the users with no cert checking.

Does anyone have any idea how this proprietary IPsec method works?

Thanks again,
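The IKEv2 "client services" the reply above refers to have a server-side switch on the ASA: AnyConnect can only pull profiles, software updates and the CSD/Host Scan engine over an IKEv2 session if client services are enabled on the `crypto ikev2 enable` command. The fragment below is an added example of that configuration and is not the poster's config; the interface name "outside", the trustpoint name LAB_TRUSTPOINT, the group-policy name GP_LAB and the profile name LAB_PROFILE are assumptions. Whether this is the cause in the thread is not established by the thread; it is simply the first setting to check when IKEv2 tunnels come up but updates and posture never do.

```cisco
! --- Weak form: IKEv2 enabled, no client services ---
! AnyConnect can negotiate the tunnel, but profile/software updates and
! Host Scan delivery are not available over this session.
crypto ikev2 enable outside
!
! --- Corrected form: client services on the IKEv2 listener ---
! Client services ride on TCP 443 (the same port as the SSL VPN), so the
! ASA's SSL listener must be reachable from the client as well.
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint LAB_TRUSTPOINT
!
webvpn
 enable outside
 anyconnect enable
 anyconnect profiles LAB_PROFILE disk0:/lab_profile.xml
!
group-policy GP_LAB internal
group-policy GP_LAB attributes
 ! IKEv2 listed first so the client profile's IPsec preference is honoured;
 ! ssl-client kept so the SSL fallback and weblaunch keep working.
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles value LAB_PROFILE type user
  anyconnect keep-installer installed
!
! --- Verification ---
show running-config crypto ikev2
show vpn-sessiondb anyconnect
```

On the client side, the counterpart of this setting is the AnyConnect profile's `PrimaryProtocol` element: with it set to `IPsec` and `StandardAuthenticationOnly` left false, the client uses EAP-AnyConnect for IKEv2 authentication, which is the only IKEv2 authentication method that carries the client services the reply describes. Setting `StandardAuthenticationOnly` to true, or leaving client services off the ASA's IKEv2 listener, produces the same symptom from the user's point of view: the tunnel itself may work, but no updates and no Host Scan.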

Havik Lee
Level 1

Hi,

I came across a very similar situation to yours after enabling hostscan: the connection using weblaunch is fine, but I got the same error when using the AnyConnect client to initiate the VPN session.

“Posture Assessment Failed: HostScan Prelogin error”

“An error has occurred while running Host Scan. Please attempt to connect again.”

It cannot be solved by disabling all settings related to IPsec IKEv2. Is this some kind of configuration issue, client device compatibility issue or known ASA bug?

eng.malak
Level 1

Guys, any update about this case?

Disable the standalone hostscan feature, but enable the CSD feature; then hostscan will work without error no matter whether IKEv2 or SSL VPN. This solution was provided by Cisco TAC.

Thanks Havik for the prompt reply. I have the latest ASDM and I have no standalone image, just the CSD image. Even though I disabled the hostscan extension feature, I still have the same problem; please find the attached image.

My case is a little bit different from yours, I guess. I suggest upgrading your ASA to the latest version first.

I upgraded AnyConnect to Cisco AnyConnect Secure Mobility 3.0 and it's working fine.
